Monday, May 16, 2011

New Version of Alureon Ups the Ante on Encryption

Via -

A new version of the venerable Alureon malware has appeared, and this one includes some odd behavior designed to prevent analysis and detection by antimalware systems. However, this isn't the typical evasion algorithm, as it uses some unusual encryption and decryption routines to make life much more difficult for analysts and users whose machines have been infected.

Alureon is a well-known and oft-researched malware family that has some rootkit-like capabilities in some of its variations. The newest version of the malware exhibits some behavior that researchers haven't seen before and which make it more problematic for antimalware software to detect it and for experts to break down its components.

Researchers at Microsoft took apart the newest version of Alureon and found that the malware now uses what is essentially a brute-force attack to decrypt its own encrypted components.


The Microsoft researchers found that not only did the new version of Alureon employ the encryption and decryption routine, but it also tries to complicate matters by spreading the encrypted data out all over the place.

"Interestingly enough, the encrypted buffer supplied as input for the decryption function is not found as a contiguous memory region but instead is scattered throughout the PE's image, being spread between code, data, resources, etc. This makes static recovery of the encrypted file more complicated," Microsoft's Marian Radu and Daniel Radu wrote in their blog post on the malware.

Older versions of Alureon, which also is known as TDL and TDSS, have included some other interesting capabilities, as well. A version discovered last November had the ability to bypass the driver-signing protection on Windows 7 and Vista that is meant to prevent malicious code from being loaded at start up. TDL4 was able to do this by changing the applications that Windows will allow to load an unsigned driver.

No comments:

Post a Comment